user1883212
Reputation: 7849
How to simplify Splunk search with duplicated query statements
I wrote the following Splunk search that I plan to use for an alert:
index=* earliest=-1h source="*video-bic*.log" "Get video" |
dedup videoid | stats list(videoid) as l_videoid |
appendcols [search index=* earliest=-1h source="*video-bic*.log" "Get video" |
dedup videoid | stats count(videoid) as num_msgs] |
table num_msgs, l_videoid
It works but I would like to simplify it, so that I don't have to repeat this part of the query twice:
index=* earliest=-1h source="*video-bic*.log" "Get video"
Any ideas?
Upvotes: 0
Views: 174
Answers (1)
RichG
Reputation: 9906
The stats command accepts multiple arguments.
index=* earliest=-1h source="*video-bic*.log" "Get video"
| stats values(videoid) as l_videoid, dc(videoid) as num_msgs
| table num_msgs, l_videoid
For better efficiency, I removed the dedup command and replaced the list and count functions with values and dc (distinct_count), respectively.
Upvotes: 1
Related Questions
- Splunk filter one search by another
- SPLUNK use result from first search in second search
- Splunk conditional search
- Adding multiple expressions to single searchmatch in splunk query
- How to add multiple queries in one search in Splunk
- How to do compound query with where clause in Splunk?
- Splunk query based on the results of another query
- How to append two queries in splunk?
- How to combine two queries in Splunk?
- Splunk Query - Compute stats by removing duplicates and custom query